IBM Crypto Education Community

  • 1.  Master Key Loads

    Posted Tue May 03, 2022 09:02 AM
    Hi,

    Very new to using the TKE Smart card option.

    Have followed the videos and managed to create our TEST Domain, Roles, Authorities 10,11,20,21,22 and generate DES Master key parts for our TEST regions [2 LPARS running on two different boxes across 8 CCA cards [4 per box]]. All worked fine using Smart cards and loaded.

    Now keen to repeat the process for our DEV and OAT environments [each environment to have its own DES MK]

    Have initialised new MK Smart cards for our OAT [7 LPARS on the same two boxes] and DEV [4 LPARS on same 2 boxes] environments using SCUP. Also created the two new Domains [OAT and DEV] on the TKE.

    Unsure of the AUTHORITY 20,21,22 and the need to have them stored on the Smart card with the relevant key parts. 

    Can we just generate new MK key parts onto 3 different cards and authorise them at load time using the Smart cards we generated in the beginning [when we did the TEST Domain]? Or do the 20, 21, 22 authorities need to be with the key parts?

    If we have to get the authority [signatures] onto the new MK cards, is there a process to copy the authorities already created?

    Hope this makes sense.
    Thanks
    Brett

    ------------------------------
    Brett Williams
    ------------------------------


  • 2.  RE: Master Key Loads

    Posted Tue May 03, 2022 05:46 PM
    Hi Brett,
    Sharing comments from @Garry Sullivan who is our lead SME for the TKE Workstation in blue below...



    Hi,

    Very new to using the TKE Smart card option.

    Have followed the videos and managed to create our TEST Domain, Roles, Authorities 10,11,20,21,22 and generate DES Master key parts for our TEST regions [2 LPARS running on two different boxes across 8 CCA cards [4 per box]]. All worked fine using Smart cards and loaded.

    Now keen to repeat the process for our DEV and OAT environments [each environment to have its own DES MK]

    Have initialised new MK Smart cards for our OAT [7 LPARS on the same two boxes] and DEV [4 LPARS on same 2 boxes] environments using SCUP. Also created the two new Domains [OAT and DEV] on the TKE.

    Unsure of the AUTHORITY 20,21,22 and the need to have them stored on the Smart card with the relevant key parts.

    Can we just generate new MK key parts onto 3 different cards and authorise them at load time using the Smart cards we generated in the beginning [when we did the TEST Domain]? Or do the 20, 21, 22 authorities need to be with the key parts?

    GS: No, it is not required but may be preferred. You can put the key parts on different smart cards from the ones that hold signing keys. That is common to do. So in your key load process, you could put the smart card with the signing key in reader 1, and the smart card with the key part in reader 2.

    If we have to get the authority [signatures] onto the new MK cards, is there a process to copy the authorities already created?

    GS: If the smart cards are in the same zone, just use this:


    NOTE: There is a copy smart card feature in the Cryptographic Node Management utility too. But you would likely use the one in the TKE application.

    GS: If the smart cards are not in the same zone, you have to add an alternate zone to the target smart card first:



    ------------------------------
    Eysha Shirrine
    ------------------------------